Third vote consensus in a cluster using shared storage devices

ABSTRACT

A third vote consensus technique enables a first node, i.e., a surviving node, of a two-node cluster to establish a quorum and continue to operate in response to failure of a second node of the cluster. Each node maintains configuration information organized as a cluster database (CDB) which may be changed according to a consensus-based protocol. Changes to the CDB are logged on a third copy file system (TCFS) stored on a local copy of TCFS (L-TCFS). A shared copy of the TCFS (i.e., S-TCFS) may be stored on shared storage devices of one or more storage arrays coupled to the nodes. The local copy of the TCFS (i.e., L-TCFS) represents a quorum vote for each node of the cluster, while the S-TCFS represents an additional “tie-breaker” vote of a consensus-based protocol. The additional vote may be obtained from the shared storage devices by the surviving node as a third vote to establish the quorum and enable the surviving node to cast two of three votes (i.e., a majority of votes) needed to continue operation of the cluster. That is, the majority of votes allows the surviving node to update the CDB with the configuration information changes so as to continue proper operation of the cluster.

RELATED APPLICATION

The present application is a continuation of U.S. patent application Ser. No. 14/924,318, entitled Third Vote Consensus In A Cluster Using Shared Storage Devices, filed on Oct. 27, 2015 by Bob Schatz et al., the contents of which are incorporated by reference herein in their entirety.

BACKGROUND Technical Field

The present disclosure relates to storage systems and, more specifically, to establishment of a quorum in a cluster of storage systems.

Background Information

A storage system typically includes one or more storage devices, such as solid state drives (SSDs) embodied as flash storage devices, into which information (i.e., data) may be entered, and from which data may be obtained, as desired. The storage system (i.e., node) may logically organize the data stored on the devices as storage containers, such as files and/or logical units (LUNs). To improve the performance and availability of the data contained in the storage containers, a plurality of nodes may be interconnected as a cluster configured to provide storage service relating to the organization of the storage containers and with the property that when one node fails another node (i.e., the surviving node) may service data access requests, i.e., operations, directed to the failed node's storage containers. However, more than one surviving node (which may include a node that the cluster had incorrectly determine as failed) may attempt to service the data access requests directed to the failed node's storage container, which may result in data corruption. Typically, this may be solved using a quorum; however, for small clusters, this approach is inefficient (or even fails), as losing a single node may result in an inability to establish a quorum so as to continue to serve data.

Typically, failover in a cluster depends on a quorum to guarantee that no two disjoint sets of nodes within the cluster each attempt to make progress (e.g., write to the storage devices) on their own, potentially leading to data corruption. The quorum may be implemented as a voting scheme, where each node in the cluster is granted a number of votes (e.g., one) and as long as a majority of votes allocated across the cluster is cast among non-failing nodes (surviving nodes), the surviving nodes may continue to operate as the cluster and make progress. However, for a small, e.g., two-node, cluster where each node has a single quorum vote, a failure to a node results in the surviving node not having a sufficient number of votes to constitute a majority, thus preventing proper operation of the cluster.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and further advantages of the embodiments herein may be better understood by referring to the following description in conjunction with the accompanying drawings in which like reference numerals indicate identically or functionally similar elements, of which:

FIG. 1 is a block diagram of a plurality of nodes interconnected as a cluster;

FIG. 2 is a block diagram of a node;

FIG. 3 is a block diagram of a storage input/output (I/O) stack of the node;

FIG. 4 illustrates a write path of the storage I/O stack;

FIG. 5 illustrates a read path of the storage I/O stack;

FIG. 6 illustrates a high availability (HA) partner arrangement in a multi-node cluster;

FIG. 7A illustrates a third vote consensus technique for a node cluster during nominal operation; and

FIGS. 7B and 7C illustrate a third vote consensus technique for a two-node cluster during failure of a node.

OVERVIEW

The embodiments herein provide a “third vote” (i.e., a tie-breaking vote) consensus technique for small clusters that lack a quorum to determine a failover node. The “third vote” illustratively represents one or more floating votes in the cluster that are not permanently assigned to a specific node. Depending on the number of nodes in the cluster, the tie-breaking vote may not be a numerically third vote. For example, for a two-node cluster, the technique enables a first node, i.e., a surviving node, to establish a quorum and continue to operate (i.e., takeover storage services) in response to failure of a second node of the cluster. Each node maintains configuration information organized as a cluster database (CDB), which may be changed according to a consensus-based protocol (e.g., Raft). Changes to the CDB are logged on a third copy file system (TCFS) stored on a local service storage device of the node, i.e., a local copy of TCFS (L-TCFS). In addition, a shared copy of the TCFS (i.e., S-TCFS) may be stored on shared storage devices of one or more storage arrays coupled to the nodes. In other words, the L-TCFS is accessible to the local node, whereas the S-TCFS is accessible by all nodes of the cluster. Illustratively, the local copy of the TCFS (i.e., L-TCFS) represents a quorum vote for each node of the cluster in order to effect changes to the CDB (e.g., establish takeover from the failed node), while the S-TCFS represents an additional “tie-breaker” vote of the consensus-based protocol. The additional vote may be obtained from the shared storage devices by the surviving node as an additional, i.e., third vote, to establish the quorum and enable the surviving node to cast two of three votes (i.e., a majority of votes) needed to continue operation of the cluster. That is, the majority of votes allows the surviving node to update the CDB with the configuration information changes so as to continue proper operation of the cluster (i.e., successfully takeover from the failed node).

Although both nodes have access to the shared storage devices (via non-exclusive disk reservations), only one node of the cluster may obtain and become an owner of the S-TCFS and, thus, cast an additional vote according to the consensus-based protocol. For example, if the non-owner node of S-TCFS fails, the owner node may still cast two votes, e.g., its L-TCFS vote and the S-TCFS vote, and the cluster may continue to operate. However, if the owner node of S-TCFS fails, the non-owner node (i.e., the surviving node) may claim the tie-breaker vote through a “get out the vote” (GOTV) operation that fences (i.e., disallows access to) the failed node from the shared storage devices, thus preventing the failed node from attempting to claim the S-TCFS. Fencing may be implemented using exclusive disk reservations that are asserted on the shared storage devices by the surviving node in a predetermined order to prevent a situation where each node fences a subset of the devices, resulting in deadlock. As part of the GOTV operation, the surviving node takes control of the S-TCFS and claims the third vote needed to continue operation of the cluster.

DESCRIPTION

Storage Cluster

FIG. 1 is a block diagram of a plurality of nodes 200 interconnected as a cluster 100 and configured to provide storage service relating to the organization of information on storage devices. The nodes 200 may be interconnected by a cluster interconnect fabric 110 and include functional components that cooperate to provide a distributed storage architecture of the cluster 100, which may be deployed in, but not limited to, a storage area network (SAN). As described herein, the components of each node 200 include hardware and software functionality that enable the node to connect to one or more hosts 120 over a computer network 130, as well as to one or more storage arrays 150 of shared storage devices over a storage interconnect 140, to thereby render the storage service in accordance with the distributed storage architecture.

Each host 120 may be embodied as a general-purpose computer configured to interact with any node 200 in accordance with a client/server model of information delivery. That is, the client (host) may request the services of the node, and the node may return the results of the services requested by the host, by exchanging packets over the network 130. The host may issue packets including file-based access protocols, such as the Network File System (NFS) protocol over the Transmission Control Protocol/Internet Protocol (TCP/IP), when accessing information on the node in the form of storage containers such as files and directories. However, in an embodiment, the host 120 illustratively issues packets including block-based access protocols, such as the Small Computer Systems Interface (SCSI) protocol encapsulated over TCP (iSCSI) and SCSI encapsulated over FC (FCP), when accessing information in the form of storage containers such as logical units (LUNs). Notably, any of the nodes 200 may service a request directed to a storage container stored on the cluster 100.

FIG. 2 is a block diagram of a node 200 that is illustratively embodied as a storage system having one or more central processing units (CPUs) 210 coupled to a memory 220 via a memory bus 215. The CPU 210 is also coupled to a network adapter 230, storage controllers 240, a cluster interconnect interface 250, and a non-volatile random access memory (NVRAM 280) via a system interconnect 270. The network adapter 230 may include one or more ports adapted to couple the node 200 to the host(s) 120 over computer network 130, which may include point-to-point links, wide area networks, virtual private networks implemented over a public network (Internet) or a local area network. The network adapter 230 thus includes the mechanical, electrical and signaling circuitry needed to connect the node to the network 130, which illustratively embodies an Ethernet or Fibre Channel (FC) network.

The memory 220 may include memory locations that are addressable by the CPU 210 for storing software programs and data structures associated with the embodiments described herein. The CPU 210 may, in turn, include processing elements and/or logic circuitry configured to execute the software programs, such as a storage input/output (I/O) stack 300, and manipulate the data structures. Illustratively, the storage I/O stack 300 may be implemented as a set of user mode processes that may be decomposed into a plurality of threads. An operating system kernel 224, portions of which are typically resident in memory 220 (in-core) and executed by the processing elements (i.e., CPU 210), functionally organizes the node by, inter alia, invoking operations in support of the storage service implemented by the node and, in particular, the storage I/O stack 300. A suitable operating system kernel 224 may include a general-purpose operating system, such as the UNIX® series or Microsoft Windows® series of operating systems, or an operating system with configurable functionality such as microkernels and embedded kernels. However, in an embodiment described herein, the operating system kernel is illustratively the Linux® operating system. It will be apparent to those skilled in the art that other processing and memory means, including various computer readable media, may be used to store and execute program instructions pertaining to the embodiments herein.

Each storage controller 240 cooperates with the storage I/O stack 300 executing on the node 200 to access information requested by the host 120. The information is preferably stored on shared storage devices such as hard disk drives (HDDs) and/or solid state drives (SSDs) 260, the latter of which are illustratively embodied as flash storage devices, of storage array 150. In an embodiment, the flash storage devices may be based on NAND flash components, e.g., single-layer-cell (SLC) flash, multi-layer-cell (MLC) flash or triple-layer-cell (TLC) flash, although it will be understood to those skilled in the art that other non-volatile, solid-state electronic devices (e.g., drives based on storage class memory components) may be advantageously used with the embodiments described herein. Accordingly, the storage devices may or may not be block-oriented (i.e., accessed as blocks). The storage controller 240 includes one or more ports having I/O interface circuitry that couples to the SSDs 260 over the storage interconnect 140, illustratively embodied as a serial attached SCSI (SAS) topology. Alternatively, other point-to-point I/O interconnect arrangements, such as a conventional serial ATA (SATA) topology or a PCI topology, may be used. The system interconnect 270 may also couple the node 200 to a local service storage device 248, such as an SSD, configured to locally store cluster-related configuration information, e.g., as cluster database (CDB) 244, which may be replicated to the other nodes 200 in the cluster 100.

The cluster interconnect interface 250 may include one or more ports adapted to couple the node 200 to the other node(s) of the cluster 100. In an embodiment, Ethernet may be used as the clustering protocol and interconnect fabric media, although it will be apparent to those skilled in the art that other types of protocols and interconnects, such as Infiniband, may be utilized within the embodiments described herein. The NVRAM 280 may include a back-up battery or other built-in last-state retention capability (e.g., non-volatile semiconductor memory such as storage class memory) that is capable of maintaining data in light of a failure to the node and cluster environment. Illustratively, a portion of the NVRAM 280 may be configured as one or more non-volatile logs (NVLogs 285) configured to temporarily record (“log”) I/O requests, such as write requests, received from the host 120.

Storage I/O Stack

FIG. 3 is a block diagram of the storage I/O stack 300 that may be advantageously used with one or more embodiments described herein. The storage I/O stack 300 includes a plurality of software modules or layers that cooperate with other functional components of the nodes 200 to provide the distributed storage architecture of the cluster 100. In an embodiment, the distributed storage architecture presents an abstraction of a single storage container, i.e., all of the storage arrays 150 of the nodes 200 for the entire cluster 100 organized as one large pool of storage. In other words, the architecture consolidates storage, i.e., the SSDs 260 of the arrays 150, throughout the cluster (retrievable via cluster-wide keys) to enable storage of the LUNs. Both storage capacity and performance may then be subsequently scaled by adding nodes 200 to the cluster 100.

Illustratively, the storage I/O stack 300 includes an administration layer 310, a protocol layer 320, a persistence layer 330, a volume layer 340, an extent store layer 350, a Redundant Array of Independent Disks (RAID) layer 360, a storage layer 365 and a NVRAM (storing NVLogs) “layer” interconnected with a messaging kernel 370. The messaging kernel 370 may provide a message-based (or event-based) scheduling model (e.g., asynchronous scheduling) that employs messages as fundamental units of work exchanged (i.e., passed) among the layers. Suitable message-passing mechanisms provided by the messaging kernel to transfer information between the layers of the storage I/O stack 300 may include, e.g., for intra-node communication: i) messages that execute on a pool of threads, ii) messages that execute on a single thread progressing as an operation through the storage I/O stack, iii) messages using an Inter Process Communication (IPC) mechanism, and, e.g., for inter-node communication: messages using a Remote Procedure Call (RPC) mechanism in accordance with a function shipping implementation. Alternatively, the I/O stack may be implemented using a thread-based or stack-based execution model. In one or more embodiments, the messaging kernel 370 allocates processing resources from the operating system kernel 224 to execute the messages. Each storage I/O stack layer may be implemented as one or more instances (i.e., processes) executing one or more threads (e.g., in kernel or user space) that process the messages passed between the layers such that the messages provide synchronization for blocking and non-blocking operation of the layers.

In an embodiment, the protocol layer 320 may communicate with the host 120 over the network 130 by exchanging discrete frames or packets configured as I/O requests according to pre-defined protocols, such as iSCSI and FCP. An I/O request, e.g., a read or write request, may be directed to a LUN and may include I/O parameters such as, inter alia, a LUN identifier (ID), a logical block address (LB A) of the LUN, a length (i.e., amount of data) and, in the case of a write request, write data. The protocol layer 320 receives the I/O request and forwards it to the persistence layer 330, which records the request into a persistent write-back cache 380 illustratively embodied as a log whose contents can be replaced randomly, e.g., under some random access replacement policy rather than only in serial fashion, and returns an acknowledgement to the host 120 via the protocol layer 320. In an embodiment only I/O requests that modify the LUN, e.g., write requests, are logged. Notably, the I/O request may be logged at the node receiving the I/O request, or in an alternative embodiment in accordance with the function shipping implementation, the I/O request may be logged at another node.

Illustratively, dedicated logs may be maintained by the various layers of the storage I/O stack 300. For example, a dedicated log 335 may be maintained by the persistence layer 330 to record the I/O parameters of an I/O request as equivalent internal, i.e., storage I/O stack, parameters, e.g., volume ID, offset, and length. In the case of a write request, the persistence layer 330 may also cooperate with the NVRAM 280 to implement the write-back cache 380 configured to store the write data associated with the write request. In an embodiment, the write-back cache may be structured as a log. Notably, the write data for the write request may be physically stored in the cache 380 such that the log 335 contains the reference to the associated write data. It will be understood to persons skilled in the art that other variations of data structures may be used to store or maintain the write data in NVRAM including data structures with no logs. In an embodiment, a copy of the write-back cache may be also maintained in the memory 220 to facilitate direct memory access to the storage controllers. In other embodiments, caching may be performed at the host 120 or at a receiving node in accordance with a protocol that maintains coherency between the data stored at the cache and the cluster.

In an embodiment, the administration layer 310 may apportion the LUN into multiple volumes, each of which may be partitioned into multiple regions (e.g., allotted as disjoint block address ranges), with each region having one or more segments stored as multiple stripes on the array 150. A plurality of volumes distributed among the nodes 200 may thus service a single LUN, i.e., each volume within the LUN services a different LBA range (i.e., offset range and length, hereinafter offset range) or set of ranges within the LUN. Accordingly, the protocol layer 320 may implement a volume mapping technique to identify a volume to which the I/O request is directed (i.e., the volume servicing the offset range indicated by the parameters of the I/O request). Illustratively, the cluster database 244 may be configured to maintain one or more associations (e.g., key-value pairs) for each of the multiple volumes, e.g., an association between the LUN ID and a volume, as well as an association between the volume and a node ID for a node managing the volume. The administration layer 310 may also cooperate with the database 244 to create (or delete) one or more volumes associated with the LUN (e.g., creating a volume ID/LUN key-value pair in the database 244). Using the LUN ID and LBA (or LBA range), the volume mapping technique may provide a volume ID (e.g., using appropriate associations in the cluster database 244) that identifies the volume and node servicing the volume destined for the request as well as translate the LBA (or LBA range) into an offset and length within the volume. Specifically, the volume ID is used to determine a volume layer instance that manages volume metadata associated with the LBA or LBA range. As noted, the protocol layer 320 may pass the I/O request (i.e., volume ID, offset and length) to the persistence layer 330, which may use the function shipping (e.g., inter-node) implementation to forward the I/O request to the appropriate volume layer instance executing on a node in the cluster based on the volume ID.

In an embodiment, the volume layer 340 may manage the volume metadata by, e.g., maintaining states of host-visible containers, such as ranges of LUNs, and performing data management functions, such as creation of snapshots and clones, for the LUNs in cooperation with the administration layer 310. The volume metadata is illustratively embodied as in-core mappings from LUN addresses (i.e., offsets) to durable extent keys, which are unique cluster-wide IDs associated with SSD storage locations for extents within an extent key space of the cluster-wide storage container. That is, an extent key may be used to retrieve the data of the extent at an SSD storage location associated with the extent key. Alternatively, there may be multiple storage containers in the cluster wherein each container has its own extent key space, e.g., where the administration layer 310 provides distribution of extents among the storage containers. An extent is a variable length block of data that provides a unit of storage on the SSDs and that need not be aligned on any specific boundary, i.e., it may be byte aligned. Accordingly, an extent may be an aggregation of write data from a plurality of write requests to maintain such alignment. Illustratively, the volume layer 340 may record the forwarded request (e.g., information or parameters characterizing the request), as well as changes to the volume metadata, in dedicated log 345 maintained by the volume layer 340. Subsequently, the contents of the volume layer log 345 may be written to the storage array 150 in accordance with a checkpoint (e.g., synchronization) operation that stores in-core metadata on the array 150. That is, the checkpoint operation (checkpoint) ensures that a consistent state of metadata, as processed in-core, is committed to (i.e., stored on) the storage array 150; whereas retirement of log entries ensures that the entries accumulated in the volume layer log 345 synchronize with the metadata checkpoints committed to the storage array 150 by, e.g., retiring those accumulated log entries prior to the checkpoint. In one or more embodiments, the checkpoint and retirement of log entries may be data driven, periodic or both.

In an embodiment, the extent store layer 350 is responsible for storing extents on the SSDs 260 (i.e., on the storage array 150) and for providing the extent keys to the volume layer 340 (e.g., in response to a forwarded write request). The extent store layer 350 is also responsible for retrieving data (e.g., an existing extent) using an extent key (e.g., in response to a forwarded read request). The extent store layer 350 may be responsible for performing de-duplication and compression on the extents prior to storage. The extent store layer 350 may maintain in-core mappings (e.g., embodied as hash tables) of extent keys to SSD storage locations (e.g., offset on an SSD 260 of array 150). The extent store layer 350 may also maintain a dedicated log 355 of entries that accumulate requested “put” and “delete” operations (i.e., write requests and delete requests for extents issued from other layers to the extent store layer 350), where these operations change the in-core mappings (i.e., hash table entries). Subsequently, the in-core mappings and contents of the extent store layer log 355 may be written to the storage array 150 in accordance with a “fuzzy” checkpoint 390 (i.e., checkpoint with incremental changes recorded in one or more log files) in which selected in-core mappings (less than the total), are committed to the array 150 at various intervals (e.g., driven by an amount of change to the in-core mappings, size thresholds of log 355, or periodically). Notably, the accumulated entries in log 355 may be retired once all in-core mappings have been committed to include the changes recorded in those entries.

In an embodiment, the RAID layer 360 may organize the SSDs 260 within the storage array 150 as one or more RAID groups (e.g., sets of SSDs) that enhance the reliability and integrity of extent storage on the array by writing data “stripes” having redundant information, i.e., appropriate parity information with respect to the striped data, across a given number of SSDs 260 of each RAID group. The RAID layer 360 may also store a number of stripes (e.g., stripes of sufficient depth), e.g., in accordance with a plurality of contiguous range write operations, so as to reduce data relocation (i.e., internal flash block management) that may occur within the SSDs as a result of the operations. In an embodiment, the storage layer 365 implements storage I/O drivers that may communicate directly with hardware (e.g., the storage controllers and cluster interface) cooperating with the operating system kernel 224, such as a Linux virtual function I/O (VFIO) driver.

Write Path

FIG. 4 illustrates an I/O (e.g., write) path 400 of the storage I/O stack 300 for processing an I/O request, e.g., a SCSI write request 410. The write request 410 may be issued by host 120 and directed to a LUN stored on the storage arrays 150 of the cluster 100. Illustratively, the protocol layer 320 receives and processes the write request by decoding 420 (e.g., parsing and extracting) fields of the request, e.g., LUN ID, LBA and length (shown at 413), as well as write data 414. The protocol layer 320 may use the results 422 from decoding 420 for a volume mapping technique 430 (described above) that translates the LUN ID and LBA range (i.e., equivalent offset and length) of the write request to an appropriate volume layer instance, i.e., volume ID (volume 445), in the cluster 100 that is responsible for managing volume metadata for the LBA range. In an alternative embodiment, the persistence layer 330 may implement the above described volume mapping technique 430. The protocol layer then passes the results 432, e.g., volume ID, offset, length (as well as write data), to the persistence layer 330, which is records the request in the persistence layer log 335 and returns an acknowledgement to the host 120 via the protocol layer 320. The persistence layer 330 may aggregate and organize write data 414 from one or more write requests into a new extent 610 and perform a hash computation, i.e., a hash function, on the new extent to generate a hash value 472 in accordance with an extent hashing technique 474.

The persistence layer 330 may then pass the write request with aggregated write data including, e.g., the volume ID, offset and length, as parameters 434 to the appropriate volume layer instance. In an embodiment, message passing of the parameters 434 (received by the persistence layer) may be redirected to another node via the function shipping mechanism, e.g., RPC, for inter-node communication. Alternatively, message passing of the parameters 434 may be via the IPC mechanism, e.g., message threads, for intra-node communication.

In one or more embodiments, a bucket mapping technique 476 is provided that translates the hash value 472 to an instance of an appropriate extent store layer (i.e., extent store instance 478) that is responsible for storing the new extent 470. Note, the bucket mapping technique may be implemented in any layer of the storage I/O stack above the extent store layer. In an embodiment, for example, the bucket mapping technique may be implemented in the persistence layer 330, the volume layer 340, or a layer that manages cluster-wide information, such as a cluster layer (not shown). Accordingly, the persistence layer 330, the volume layer 340, or the cluster layer may contain computer executable instructions executed by the CPU 210 to perform operations that implement the bucket mapping technique 476 described herein. The persistence layer 330 may then pass the hash value 472 and the new extent 470 to the appropriate volume layer instance and onto the appropriate extent store instance via an extent store put operation. The extent hashing technique 474 may embody an approximately uniform hash function to ensure that any random extent to be written may have an approximately equal chance of falling into any extent store instance 478, i.e., hash buckets are distributed across extent store instances of the cluster 100 based on available resources. As a result, the bucket mapping technique 476 provides load-balancing of write operations (and, by symmetry, read operations) across nodes 200 of the cluster, while also leveling flash wear in the SSDs 260 of the cluster.

In response to the put operation, the extent store instance may process the hash value 472 to perform an extent metadata selection technique 480 that (i) selects an appropriate hash table 482 (e.g., hash table 482 a) from a set of hash tables (illustratively in-core) within the extent store instance 478, and (ii) extracts a hash table index 484 from the hash value 472 to index into the selected hash table and lookup a table entry having an extent key 475 identifying a storage location 490 on SSD 260 for the extent. Accordingly, the extent store layer 350 contains computer executable instructions executed by the CPU 210 to perform operations that implement the extent metadata selection technique 480 described herein. If a table entry with a matching extent key is found, then the SSD location 490 mapped from the extent key 475 is used to retrieve an existing extent (not shown) from SSD. The existing extent is then compared with the new extent 470 to determine whether their data is identical. If the data is identical, the new extent 470 is already stored on SSD 260 and a de-duplication opportunity (denoted de-duplication 452) exists such that there is no need to write another copy of the data. Accordingly, a reference count in the table entry for the existing extent is incremented and the extent key 475 of the existing extent is passed to the appropriate volume layer instance for storage within an entry (denoted as volume metadata entry 446) of a dense tree metadata structure 444 (e.g., dense tree 444 a), such that the extent key 475 is associated an offset range 440 (e.g., offset range 440 a) of the volume 445.

However, if the data of the existing extent is not identical to the data of the new extent 470, a collision occurs and a deterministic algorithm is invoked to sequentially generate as many new candidate extent keys (not shown) mapping to the same bucket as needed to either provide de-duplication 452 or to produce an extent key that is not already stored within the extent store instance. Notably, another hash table (e.g. hash table 482 n) may be selected by a new candidate extent key in accordance with the extent metadata selection technique 480. In the event that no de-duplication opportunity exists (i.e., the extent is not already stored) the new extent 470 is compressed in accordance with compression technique 454 and passed to the RAID layer 360, which processes the new extent 470 for storage on SSD 260 within one or more stripes 464 of RAID group 466. The extent store instance may cooperate with the RAID layer 360 to identify a storage segment 460 (i.e., a portion of the storage array 150) and a location on SSD 260 within the segment 460 in which to store the new extent 470. Illustratively, the identified storage segment is a segment with a large contiguous free space having, e.g., location 490 on SSD 260 b for storing the extent 470.

In an embodiment, the RAID layer 360 then writes the stripes 464 across the RAID group 466, illustratively as one or more full stripe writes 462. The RAID layer 360 may write a series of stripes 464 of sufficient depth to reduce data relocation that may occur within the flash-based SSDs 260 (i.e., flash block management). The extent store instance then (i) loads the SSD location 490 of the new extent 470 into the selected hash table 482 n (i.e., as selected by the new candidate extent key), (ii) passes a new extent key (denoted as extent key 475) to the appropriate volume layer instance for storage within an entry (also denoted as volume metadata entry 446) of a dense tree 444 managed by that volume layer instance, and (iii) records a change to extent metadata of the selected hash table in the extent store layer log 355. Illustratively, the volume layer instance selects dense tree 444 a spanning an offset range 440 a of the volume 445 that encompasses the offset range of the write request. As noted, the volume 445 (e.g., an offset space of the volume) is partitioned into multiple regions (e.g., allotted as disjoint offset ranges); in an embodiment, each region is represented by a dense tree 444. The volume layer instance then inserts the volume metadata entry 446 into the dense tree 444 a and records a change corresponding to the volume metadata entry in the volume layer log 345. Accordingly, the I/O (write) request is sufficiently stored on SSD 260 of the cluster.

Read Path

FIG. 5 illustrates an I/O (e.g., read) path 500 of the storage I/O stack 300 for processing an I/O request, e.g., a SCSI read request 510. The read request 510 may be issued by host 120 and received at the protocol layer 320 of a node 200 in the cluster 100. Illustratively, the protocol layer 320 processes the read request by decoding 420 (e.g., parsing and extracting) fields of the request, e.g., LUN ID, LBA, and length (shown at 513), and uses the decoded results 522, e.g., LUN ID, offset, and length, for the volume mapping technique 430. That is, the protocol layer 320 may implement the volume mapping technique 430 (described above) to translate the LUN ID and LBA range (i.e., equivalent offset and length) of the read request to an appropriate volume layer instance, i.e., volume ID (volume 445), in the cluster 100 that is responsible for managing volume metadata for the LBA (i.e., offset) range. The protocol layer then passes the results 532 to the persistence layer 330, which may search the write-back cache 380 to determine whether some or all of the read request can be serviced from its cached data. If the entire request cannot be serviced from the cached data, the persistence layer 330 may then pass the remaining portion of the request including, e.g., the volume ID, offset and length, as parameters 534 to the appropriate volume layer instance in accordance with the function shipping mechanism (e.g., RPC, for inter-node communication) or the IPC mechanism (e.g., message threads, for intra-node communication).

The volume layer instance may process the read request to access a dense tree metadata structure 444 (e.g., dense tree 444 a) associated with a region (e.g., offset range 440 a) of a volume 445 that encompasses the requested offset range (specified by parameters 534). The volume layer instance may further process the read request to search for (lookup) one or more volume metadata entries 446 of the dense tree 444 a to obtain one or more extent keys 475 associated with one or more extents 470 (or portions of extents) within the requested offset range. In an embodiment, each dense tree 444 may be embodied as multiple levels of a search structure with possibly overlapping offset range entries at each level. The various levels of the dense tree may have volume metadata entries 446 for the same offset, in which case, the higher level has the newer entry and is used to service the read request. A top level of the dense tree 444 is illustratively resident in-core and a page cache 448 may be used to access lower levels of the tree. If the requested range or portion thereof is not present in the top level, a metadata page associated with an index entry at the next lower tree level (not shown) is accessed. The metadata page (i.e., in the page cache 448) at the next level is then searched to find any overlapping entries. This process is then iterated until one or more volume metadata entries 446 of a level are found to ensure that the extent key(s) 475 for the entire requested read range are found. If no metadata entries exist for the entire or portions of the requested range, then the missing portion(s) are zero filled.

Once found, each extent key 475 is processed by the volume layer 340 to, e.g., implement the bucket mapping technique 476 that translates the extent key to an appropriate extent store instance 478 responsible for storing the requested extent 470. Note that, in an embodiment, each extent key 475 may be substantially identical to the hash value 472 associated with the extent 470, i.e., the hash value as calculated during the write request for the extent, such that the bucket mapping 476 and extent metadata selection 480 techniques may be used for both write and read path operations. Note also that the extent key 475 may be derived from the hash value 472. The volume layer 340 may then pass the extent key 475 (i.e., the hash value from a previous write request for the extent) to the appropriate extent store instance 478 (via an extent store get operation), which performs an extent key-to-SSD mapping to determine the location on SSD 260 for the extent.

In response to the get operation, the extent store instance may process the extent key 475 (i.e., hash value 472) to perform the extent metadata selection technique 480 that (i) selects an appropriate hash table 482 (e.g., hash table 482 a) from a set of hash tables within the extent store instance 478, and (ii) extracts a hash table index 484 from the extent key 475 (i.e., hash value 472) to index into the selected hash table and lookup a table entry having a matching extent key 475 that identifies a storage location 490 on SSD 260 for the extent 470. That is, the SSD location 490 mapped to the extent key 475 may be used to retrieve the existing extent (denoted as extent 470) from SSD 260 (e.g., SSD 260 b). The extent store instance then cooperates with the RAID layer 360 to access the extent on SSD 260 b and retrieve the data contents in accordance with the read request. Illustratively, the RAID layer 360 may read the extent in accordance with an extent read operation 468 and pass the extent 470 to the extent store instance. The extent store instance may then decompress the extent 470 in accordance with a decompression technique 456, although it will be understood to those skilled in the art that decompression can be performed at any layer of the storage I/O stack 300. The extent 470 may be stored in a buffer (not shown) in memory 220 and a reference to that buffer may be passed back through the layers of the storage I/O stack. The persistence layer may then load the extent into a read cache 580 (or other staging mechanism) and may extract appropriate read data 512 from the read cache 580 for the LBA range of the read request 510. Thereafter, the protocol layer 320 may create a SCSI read response 514, including the read data 512, and return the read response to the host 120.

High Data Availability

In an embodiment, two or more nodes 200 of the cluster may be configured to provide failover protection to each other in the event of a failure to one or more of the nodes. In order to implement such failover protection, the nodes 200 may communicate among themselves across one or more communication links, such as the cluster interconnect 110, to establish a HA partner arrangement. Each node 200 may maintain information relating to status of hardware and software associated with the node, as well as status of data access requests (operations) serviced and logged (e.g., NVlog 335) by the node. Illustratively, the status of the logged operations may indicate that the operations have not yet been committed (i.e., persistently stored) to the shared storage devices (e.g., SSDs 260) of the cluster. The information is illustratively maintained in the NVRAM 280 of the node (i.e., the local node servicing the I/O requests) and, to guarantee high data availability, copied (mirrored) over HA interconnect 610 to the NVRAM of a partner node associated with the local node in accordance with the established HA partner arrangement so as to synchronize the information between the local and partner nodes. Note that in other embodiments such synchronization may occur among three or more nodes.

FIG. 6 illustrates an HA partner arrangement 600 that facilitates high data availability in a multi-node cluster. The NVRAM 280 a,b of each node is illustratively organized into two portions. A first portion (i.e., the “LOCAL” portion) of the NVRAM may store information about the hardware and software, including logged operations, of the local node, and a second portion (i.e., the “PARTNER” portion) of the NVRAM may store similar, mirrored information associated with its partner node. For example, assume the operations include data access requests, such as write requests. The local node (e.g., node 200 a) may receive and execute (i.e., process) the operations and then record (i.e., log) the operations to the LOCAL portion of the NVRAM 280 a prior to committing the processed operations to persistent storage (e.g., SSD 260). Thereafter, the local node 200 a may mirror the operations over the HA interconnect 610 to the PARTNER portion of the NVRAM 280 b on its partner node (e.g., node 200 b) to synchronize the local and partner nodes with respect to the mirrored operations. In response to a failure of the local node, the partner node may initiate a failover that essentially takes over the storage service(s) provided by the local node. During failover of services of the local node to the partner node, various software components (e.g., layers) of the nodes may interoperate (i.e., interact) to efficiently coordinate the failover.

Typically, failover in a cluster depends on a quorum (or consensus algorithm) to guarantee that no two disjoint sets of nodes within the cluster each attempt to make progress (e.g., write to disk) on their own, potentially leading to data corruption (i.e., a “split brain” condition). The quorum may be implemented as a voting scheme, where each node in the cluster is granted a number of votes (e.g., one) and as long as a majority of votes allocated across the cluster is cast among non-failing nodes (surviving nodes) that may communicate with one another, the surviving nodes may continue to operate as the cluster and make progress. However, for a small, e.g., two-node, cluster where each node has a single quorum vote, a failure to a node results in the surviving node not having a sufficient number of votes to constitute a majority, thus preventing operation of the cluster.

Third Vote Consensus

The embodiments herein provide a “third vote” (i.e., a tie-breaking vote) consensus technique for small clusters that lack a quorum to determine a failover node. The “third vote” illustratively represents one or more floating votes in the cluster that are not permanently assigned to a specific node. Depending on the number of nodes in the cluster, the tie-breaking vote may not be a numerically third vote. For example, for a two-node cluster, the technique enables a first node, i.e., a surviving node of cluster 100, establish a quorum and continue to operate (i.e., takeover storage services) in response to failure of a second node of the cluster. Each node maintains configuration information organized as the CDB 244, which may be embodied as changes according to a consensus-based protocol. An exemplary consensus protocol is “Raft” as described in In Seach of an Understandable Consensus Algorithm (Extended Version) by D. Ongaro et. al, Proceedings of 2014 Usenix Annual Technical Conference (ATC), pp. 305-319. Changes to the CDB are logged on a third copy file system (TCFS) stored on the local service storage device 248 of the node, i.e., a local copy of TCFS (L-TCFS). Illustratively, the configuration information may be stored as records of the CDB and embodied as a sequence (i.e., log) of configuration updates, wherein examples of the updates include (i) LUNs that have been created, (ii) mapping of the LUNs to various initiators/initiator groups, (iii) volume names, and (iv) a number of volumes. There may be multiple sources in the cluster that provide updates to a CDB record (e.g., a user creating a LUN and a node re-configuration). Further, these updates may occur at any time as, e.g., asynchronous events. There also may be internally generated CDB update events (i.e., log entries) representing configuration state changes, e.g., failure of a node, which are represented by one or more CDB configuration updates.

According to the Raft consensus-based protocol, a defined sequence (ordering) of the configuration updates is provided across the nodes of the cluster so as to enable tie-breaking (i.e., “third vote”). The consensus-based protocol is employed to ensure that these asynchronous events are ordered across all the nodes, i.e., to ensure that a situation does not occur where event A occurs before event B on one node, and event B occurs before event A on another node. For example, in response to a node failure, a higher-level cluster membership manager (not shown) may transmit a heartbeat (an HA-based heartbeat) used to detect failure of the node (i.e., the node does not respond to the heartbeat transmission within a defined timeout period). Detection of the node failure results in a CDB configuration update. The configuration update to the CDB, in turn, results in one or more update events using the consensus-based protocol. A majority of the nodes in the cluster accept the update events, which are illustratively organized as a cluster-wide consensus log representing the order of the events as they occur and commit. Although ordering is guaranteed at all times, global consistency is not, e.g., a node that may be out of synchronization for a few update events will eventually resynchronize in the proper order, i.e., consistency is eventually achieved. FIG. 7A illustrates the third vote consensus technique for a two-node cluster during nominal operation wherein each node has a vote (vote 730 a and 730 b) and third vote 730 c (owned by node 200 a) is generated according to the third vote consensus technique described herein.

FIGS. 7B and 7C illustrate the third vote consensus technique for a two-node cluster during failure of a node. In an embodiment, only one of the nodes may claim ownership of the shared TCFS (i.e., S-TCFS) to enable control and update to the CDB. Note that both nodes may have access to the storage devices (SSDs) 260; however such ownership of the S-TCFS may be implemented using disk reservations (e.g., SCSI-3 disk reservations). A leadership election policy in the consensus protocol may decide which node is the owner node, e.g., 200 a (FIG. 7A), although such decision is not strictly based on which node is a current leader. However, a common situation may occur in a two-node cluster where the leader node fails (FIG. 7C) while having control of the S-TCFS. In this situation, the other node may forcibly claim ownership of the S-TCFS from the failed node 200 a (FIG. 7C) using the disk reservations to fence off node 200 a.

Illustratively, a shared copy of the S-TCFS 720 is stored on the SSDs 260 of the storage arrays 150 coupled to the nodes 200 a,b. Because any SSD of the array(s) 150 may fail and be replaced (e.g., in accordance with operation of the RAID layer 360), the configuration information (i.e., consensus log) of the S-TCFS 720 is replicated (stored) across all SSDs of the arrays. Accordingly, the contents of the consensus log are illustratively replicated across all SSDs of a shelf (e.g., 24 SSDs), such that one representative copy of S-TCFS 720 is stored across the SSDs in the shelf. However, in an alternative embodiment, the contents of the consensus log may be mirrored across a subset of the SSDs, while in other embodiments, layouts other than mirroring, such as various RAID configurations or eraser code, may be used to store the log on the SSDs.

The local copy of the TCFS (i.e., L-TCFS) 710 a,b represents a quorum vote 730 a,c,d (vote 1) for each node 200 a,b of the cluster in order to effect changes to the CDB, while the S-TCFS 720 represents an additional “tie-breaker” vote 730 b,e of the consensus-based protocol. The additional vote may (i.e., vote 2) be obtained from the SSDs 260 by the surviving node (e.g., node 200 a in FIG. 7B and node 200 b in FIG. 7C) as a third vote 730 b,e (vote 2) to establish the quorum and enable the surviving node to cast two of three votes (i.e., a majority of votes) needed to continue operation of the cluster 100. That is, the majority of votes allows the surviving node to update the CDB 244 with the configuration information changes so as to continue proper operation of the cluster (i.e., successfully takeover from the failed node).

Although all the nodes may have access to the shared storage devices (via non-exclusive disk reservations), only one node of the cluster may obtain and become an owner of the S-TCFS and, thus, cast an additional vote according to the consensus-based protocol. For example (FIG. 7B), if the non-owner node 200 b of S-TCFS 720 fails, the owner node 200 a may still cast two votes, e.g., its L-TCFS vote 730 a and the S-TCFS vote 730 b, and the cluster may continue to operate. Since it controls the S-TCFS vote, the surviving owner node may cast two votes when there is a leader election, thereby rendering itself the owner. Accordingly, in response to a request to update the consensus log, the surviving node may cast two votes to ensure that there is a cluster-wide majority, thereby allowing the configuration update to proceed.

However, if the owner node 200 a of S-TCFS 720 fails (FIG. 7C), the non-owner node 200 b (i.e., the surviving node) may claim the tie-breaker vote 730 e (vote 2) through a “get out the vote” (GOTV) operation that fences (i.e., disallows access to) the failed node 200 a from the shared storage devices (e.g., storage array 150), thus preventing the failed (or otherwise malfunctioning) node from attempting to claim the S-TCFS 720. In an embodiment, the GOTV operation is driven by the consensus-based protocol, e.g., Raft. As soon as a node becomes uncommunicative and the HA-based heartbeat timeout period expires, the Raft protocol triggers the GOTV operation to obtain ownership of the shared SSDs away from the failing node and enable the surviving node to claim the 5-TCFS vote. Fencing may be implemented using disk reservations that facilitate removal of a specific node from an access list, e.g., exclusive disk reservations 740, which are asserted on the shared SSDs by the surviving node in a predetermined order to prevent a situation where each node fences a subset of the devices, resulting in deadlock. For example, assume that the failed node is still sufficiently operational to believe that it is the current leader, e.g., a “split brain” condition, and that it still claims the S-TCFS vote. Since communication with the current leader node is aborted, the non-leader node may attempt to obtain the S-TCFS vote. As a result, a race condition may arise where the two nodes attempt to mark each other “down” in the CDB, i.e., the nodes compete to obtain control of the S-TCFS. If the surviving node wins, the failed node is forced to re-discover who has control of the S-TCFS by, e.g., restarting. As part of the GOTV operation, the surviving node takes control of the S-TCFS 720 and claims the third vote 730 e (vote 2) needed to continue operation of the cluster.

While there have been shown and described illustrative embodiments of a third vote consensus technique that enables a first node, i.e., a surviving node, of a two-node cluster to establish a quorum and continue to operate in response to failure of a second node of the cluster, it is to be understood that various other adaptations and modifications may be made within the spirit and scope of the embodiments herein. For example, embodiments have been shown and described herein with relation to the two-node cluster. However, the embodiments in their broader sense are not so limited, and may, in fact, also allow for larger cluster configurations, such as a four-node cluster in two different configurations. One configuration may be a four-way HA group that is also a four-node cluster and the other configuration may involve two HA pairs. Note that sharing of the shared SSDs is based on the HA configuration, e.g., 2 pairs vs. 4 nodes in a group, where there may be either 1 or 2 storage pools and where the number of S-TCFS instances is based on the number of HA groups in the cluster, e.g., one S-TCFS instance per storage pool. Notably, each HA group maintains a separate consensus, so that only nodes within an HA group are eligible to be the owner of S-TCFS for that HA group; however any node in the cluster by may be leader.

The foregoing description has been directed to specific embodiments. It will be apparent, however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software encoded on a tangible (non-transitory) computer-readable medium (e.g., disks, electronic memory, and/or CDs) having program instructions executing on a computer, hardware, firmware, or a combination thereof. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the embodiments herein. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the embodiments herein. 

What is claimed is:
 1. A system comprising: a cluster having a plurality of nodes, each node having a processor; a storage array having one or more shared storage devices coupled to each node of the cluster; a local storage device coupled to each node of the cluster; and a storage I/O stack executing on the processor of each node of the cluster, the storage I/O stack configured to: maintain a local copy of configuration information of the cluster on the local storage device, the local copy of the configuration information representing a quorum vote for each node of the cluster; obtain ownership of a shared copy of the configuration information stored on the storage array by an owner node of the cluster, the shared copy of the configuration information representing an additional vote used to establish a quorum for the cluster; and in response to the owner node failing, claim the additional vote represented by the shared copy of the configuration information at a surviving node of the cluster by fencing the failed node from the shared storage devices of the storage array.
 2. The system of claim 1 wherein the additional vote is a tie-breaker vote that enables the surviving node to cast a majority of the votes need to continue operation of the cluster.
 3. The system of claim 2 wherein the surviving node casts the majority of votes to update a configuration database of the cluster with changes to the configuration information.
 4. The system of claim 3 wherein the configuration information is embodied as a sequence of configuration updates resulting in one or more update events using a consensus-based protocol.
 5. The system of claim 4 wherein the update events are organized as a cluster-wide consensus log representing an order of the update events as they occur and commit.
 6. The system of claim 2 wherein the additional vote is a tie-breaker vote that is claimed by the surviving node through a predetermined operation that prevents the failed node from attempting to claim the shared copy of the configuration information stored on the storage array.
 7. The system of claim 6 wherein the predetermined operation is a get-out-the-vote operation driven by a consensus-based protocol.
 8. The system of claim 1 wherein fencing of the failed node is implemented using disk reservations asserted on the shared storage devices by the surviving node.
 9. The system of claim 9 wherein the disk reservations are asserted in a predetermined order to prevent a situation where each node fences a subset of the shared storage devices, resulting in deadlock in the cluster.
 10. The system of claim 1 wherein the plurality of nodes is organized as a two-node cluster.
 11. The system of claim 1 wherein the plurality of nodes is organized as a four-node cluster configured as a four-way high availability group.
 12. The system of claim 1 wherein the plurality of nodes is organized as a four-node cluster configured as two high availability pairs of nodes.
 13. A method comprising: organizing a plurality of nodes as a cluster, each node of the cluster coupled to a storage array having one or more shared storage devices, each node further coupled to a local storage device; maintaining a local copy of configuration information of the cluster on the local storage device, the local copy of the configuration information representing a quorum vote for each node of the cluster; obtaining ownership of a shared copy of the configuration information stored on the storage array by an owner node of the cluster, the shared copy of the configuration information representing an additional vote used to establish a quorum for the cluster; and in response to the owner node failing, claiming the additional vote represented by the shared copy of the configuration information at a surviving node of the cluster by fencing the failed node from the shared storage devices of the storage array.
 14. The method of claim 13 wherein the additional vote is a tie-breaker vote that enables the surviving node to cast a majority of the votes need to continue operation of the cluster.
 15. The method of claim 14 wherein the surviving node casts the majority of votes to update a configuration database of the cluster with changes to the configuration information.
 16. The method of claim 15 further comprising embodying the configuration information as a sequence of configuration updates resulting in one or more update events using a consensus-based protocol.
 17. The method of claim 16 further comprising organizing the update events as a cluster-wide consensus log representing an order of the update events as they occur and commit.
 18. The method of claim 13 further comprising using disk reservations asserted on the shared storage devices by the surviving node to implement the fencing of the failed node.
 19. The method of claim 18 wherein using the disk reservations comprises asserting the disk reservations in a predetermined order to prevent a situation where each node fences a subset of the shared storage devices, resulting in deadlock in the cluster.
 20. A non-transitory computer readable medium including program instructions for execution on a processor of a storage system, the program instructions configured to: organize a plurality of nodes as a cluster, each node of the cluster coupled to a storage array having one or more shared storage devices, each node further coupled to a local storage device; maintain a local copy of configuration information of the cluster on the local storage device, the local copy of the configuration information representing a quorum vote for each node of the cluster; obtain ownership of a shared copy of the configuration information stored on the storage array by an owner node of the cluster, the shared copy of the configuration information representing an additional vote used to establish a quorum for the cluster; and in response to the owner node failing, claim the additional vote represented by the shared copy of the configuration information at a surviving node of the cluster by fencing the failed node from the shared storage devices of the storage array. 